When a user interacts with certain sites on the Internet such as service providers, which are also referred to as relying parties, the service provider often expects to know something about the user that is requesting the services of the provider. The typical approach for a service provider is to require the user to log into or authenticate to the service provider's computer system. But this approach, while satisfactory for the service provider, is less than ideal for the user.
For example, the user must remember a username and password for each service provider that expects such information. Given that different computer systems impose different requirements, along with the possibility that another user might have already chosen the same username, the user might not be able to use the same username/password combination for each such computer system. There is also the related problem that, if the user uses the same username/password combination on multiple computer systems, someone who hacks one such computer system would likely be able to access other such computer systems.
It is estimated that an average user has over 100 accounts on the Internet. For users, this is becoming an increasingly frustrating problem to deal with. Passwords and account names are too hard to remember. Second, the user typically has no control over how the service provider uses the information it stores. If the service provider uses the stored information in a way the user does not want, for example, the user has relatively little ability to prevent such abuse—and essentially no recourse after the fact.
In the past few years, the networking industry has developed the concept of information cards to tackle these problems. Information cards are a very familiar metaphor for users and the idea is gaining rapid momentum. Information cards allow users to manage their identity information and control how it is released. This gives users greater convenience in organizing their multiple personae, their preferences, and their relationships with vendors and identity providers. Interactions with on-line vendors are greatly simplified.
There are currently two kinds of information cards: personal cards (or self-issued cards) and managed cards (or cards that are issued by an identity provider (IdP) or security token service (STS)). A personal card contains self-asserted identity information. In other words, the person issues the card and is the authority for the identity information it contains. In contrast, the managed card is issued by an identity provider, which provides the identity information and asserts its validity.
When a relying party requests identity information from the user, a tool known as an identity selector or card selector can assist the user in selecting an appropriate information card. For example, the card selector can present to the user one or more information cards that satisfy a given security policy and claim requirements of the relying party. When a managed card is selected, the card selector can communicate with the identity provider to obtain a security token that contains the needed information.
While information card technologies are becoming more widespread in applications, there remain certain problems for which no adequate solutions exist. For example, in today's systems, each information card represents a single digital identity (e.g., persona and/or role(s)). When a card is selected (e.g., via a card selector), it is used to produce the claims needed for the relying party—but only for the single digital identity. Thus, in situations where a user wishes to maintain multiple personae and/or roles, no matter how similar they may be to each other, he or she is burdened with an undesirable need to obtain and manage (e.g., keep track of) multiple information cards (e.g., one for each digital identity).
There remains a need for a way to address these and other problems associated with the prior art.